Grants a role to the specified logins, users, or system or user defined roles.
grant role role_name
[where pred_expression]
to {username | rolename | login_profile_name }
is the name of a system- or user-defined role that the system security officer is granting to a user or a role.
also referred to as a role-activation predicate, this is a SQL condition that must be satisfied when the named role is activated. pred_expression may be used only when granting a role to username or login_profile_name.If pred_expression evaluates to FALSE when the role is activated, the set role command fails and Adaptive Server returns an error message. If the role is specified for automatic activation or is a default role, Adaptive Server silently fails the activation but does not fail the login process.
identifies the name of the login, role or login profile to which you are granting the role. When the grantee is a login profile, all users with this login profile are granted the role.
Grants the role “doctor” to Mary:
grant role doctor_role to mary
By granting intern_role to doctor_role, a doctor inherits all the privileges of an intern.
grant role intern_role to doctor_role
User Smith, with manage roles privileges, grants the nurse_role to user John, with user roleAdmin as the grantor.
grant role nurse_role to john granted by roleAdmin
Grants role ldap_user_role to login profile lp_10:
grant role ldap_user_role where get_appcontext(login_authentication) = 'LDAP' to login_profile lp_10
Using the above example, when the session of a user assigned login profile lp_10 enables ldap_user_role, Adaptive Server checks that the session connected using LDAP. If there was an LDAP connection, the user assumes ldap_user_role; if not, ldap_user_role is not enabled. Configure the predicate evaluation to occur automatically during login by altering login profile lp_10 and specifying ldap_user_role on the auto activated roles attribute. Otherwise, the evaluation of the role activation predicate occurs when the user assigned lp_10 executes the set role statement.
Adaptive Server automatically activates roles granted to logins or login profiles (after evaluating any predicate) when the user logs in if create login, alter login, create login profile, or alter login profile specify the role for automatic activation. Otherwise, Adaptive Server activates the role when set role is executed. Adaptive automatically activates a role granted to another role when the dependent role is activated.
You can use the grant command to grant permissions to all users who have been granted a specified role. The role can be either a system role, like sso_role or sa_role, or a user-defined role. The system security officers must create the user-defined roles using a create role command.
The permission checks for grant role differ based on your granular permissions settings.
Granular permissions enabled |
With granular permissions enabled, you must be a user with manage roles privilege. |
Granular permissions disabled |
With granular permissions disabled, you must be a user with sso_role. To grant sa_role, you must be a user with sa_role. |
Values in event and extrainfo columns of sysaudits are:
Event |
Audit option |
Command or access audited |
Information in extrainfo |
|---|---|---|---|
85 |
roles |
create role, drop role, alter role, grant role, or revoke role |
|
